>> One more info. I have generated the keys using the openssl command. In that
>> case is it required to load the openssl module in charon?
>>
> The openssl command generates keys in the standardized PKCS#1
> format which can be read by strongSwan's pkcs1 plugin. There
> is no need to load the openssl plugin. Your problem is that
> the file '/etc/ipsec.d/private/211Key.pem' does not contain a
> private key. The contents of a PEM-encoded private key file
> should have the following format

Hi Andreas,

If you say so then I think I am confused about the creation of keys. I
blindly copied the openssl key generation commands from the strongSwan
readme page:

  http://www.strongswan.org/docs/readme42.htm

I followed the following command for generating the host private key
(after setting up the CA keys and openssl.conf to locate the CA keys):

  openssl req -newkey rsa:1024 -keyout 211Key.pem -out 211Req.pem

and the following command for signing the key:

  openssl ca -in 211Req.pem -days 730 -out 211Cert.pem -notext

As an alternative I have also tried with the DER format of the keys, for
which the procedure is given in the documentation section titled
"Setting-up a simple CA using strongSwan PKI tool". Even with this I get
the same results and the same error message at

  ipsec start --nofork

So what could be going wrong w.r.t. key generation?

Regards
Shyam

-----Original Message-----
From: users-bounces+shyamsundar.purkayastha=wipro....@lists.strongswan.org [mailto:[email protected] .org] On Behalf Of Andreas Steffen
Sent: Tuesday, April 20, 2010 2:04 PM
To: [email protected]
Subject: Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

On 20.04.2010 09:53, [email protected] wrote:
>
>> the error message from the ASN.1 parser means that the
>> file "/etc/ipsec.d/private/211Key.pem" does not contain
>> a private key but probably an X.509 certificate.
>
> After uncommenting the load statement in strongswan.conf I am not
> getting the ASN.1 parser error but still the loading of private key
> fails. As follows
>
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
> 00[CFG] loading private key from '/etc/ipsec.d/private/211Key.pem' failed
>
> Here is my strongswan.conf file
> --------------------------------------------------------------------
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
> # number of worker threads in charon
> threads = 16
>
> # plugins to load in charon
> load = des aes sha1 md5 sha2 hmac gmp openssl random pubkey xcbc x509 stroke pkcs1 pem
> #load = aes des sha1 sha2 md5 curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink updown
>
If you load the openssl plugin then the private key parsing is done by
the openssl module instead of the pkcs1 plugin. The error still persists
but you don't get the log output from the strongSwan ASN.1 parser.

> plugins {
>
> sql {
> # loglevel to log into sql database
> loglevel = -1
>
> # URI to the database
> # database = sqlite:///path/to/file.db
> # database = mysql://user:passw...@localhost/database
> }
> }
>
> # ...
> }
>
> pluto {
>
> # plugins to load in pluto
> # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>
> }
>
> libstrongswan {
>
> # set to no, the DH exponent size is optimized
> # dh_exponent_ansi_x9_42 = no
> }
>
> ---------------------------------------------------------------
>
> One more info. I have generated the keys using the openssl command. In that
> case is it required to load the openssl module in charon?
>
The openssl command generates keys in the standardized PKCS#1 format
which can be read by strongSwan's pkcs1 plugin. There is no need to load
the openssl plugin. Your problem is that the file
'/etc/ipsec.d/private/211Key.pem' does not contain a private key. The
contents of a PEM-encoded private key file should have the following
format

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
...
cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
-----END RSA PRIVATE KEY-----

if the key is unencrypted or

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429

mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
...
nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
-----END RSA PRIVATE KEY-----

if the key is protected by a passphrase.

> Regards
> Shyam

Regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
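The two PEM layouts Andreas shows above (a bare "RSA PRIVATE KEY" block, or one carrying Proc-Type and DEK-Info headers when it is passphrase-protected) are what charon's pem and pkcs1 plugins expect, and the "tried 2 builders" failure in the log is what you get when the file holds something else, such as the certificate. A quick way to see what a file like 211Key.pem actually contains before pointing ipsec.secrets at it is to list its PEM blocks, their headers and whether the body decodes. The script below is an added example written for this thread, not strongSwan's or OpenSSL's own code; it uses only the Python standard library, and the sample PEM texts embedded in it are constructed placeholders rather than real keys.

```python
"""Classify the PEM blocks in a private-key file the way the thread describes.

Added example, not strongSwan code. Each block is reported as a PKCS#1
"RSA PRIVATE KEY" (unencrypted, or passphrase-protected via Proc-Type /
DEK-Info headers), a PKCS#8 key, or a certificate / request that was saved
under the key's file name by mistake.
"""
import base64
import binascii
import re
import sys

# One PEM block: the label after BEGIN must match the label after END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Standard PEM labels as written by the openssl tools.
LABEL_MEANING = {
    "RSA PRIVATE KEY": "PKCS#1 RSA private key",
    "PRIVATE KEY": "PKCS#8 private key (not PKCS#1)",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted private key (not PKCS#1)",
    "CERTIFICATE": "X.509 certificate, not a private key",
    "CERTIFICATE REQUEST": "PKCS#10 certificate request, not a private key",
}


def parse_pem_blocks(text):
    """Return a list of dicts with keys label, headers, der, error."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64_lines, in_headers = {}, [], True
        for line in body.splitlines():
            line = line.strip()
            if in_headers:
                if not line:                 # blank line ends the header section
                    in_headers = False
                    continue
                if ":" in line:              # RFC 1421 style "Name: value" header
                    name, _, value = line.partition(":")
                    headers[name.strip()] = value.strip()
                    continue
                in_headers = False           # no headers: this is base64 already
            if line:
                b64_lines.append(line)
        block = {"label": label, "headers": headers, "der": b"", "error": None}
        try:
            block["der"] = base64.b64decode("".join(b64_lines), validate=True)
        except (binascii.Error, ValueError) as exc:
            block["error"] = "body is not valid base64: %s" % exc
        blocks.append(block)
    return blocks


def is_encrypted(block):
    """True when the block carries the 'Proc-Type: 4,ENCRYPTED' header."""
    return block["headers"].get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED"


def describe_block(block):
    """One-line verdict for a block, naming the DEK-Info cipher if present."""
    if block["error"]:
        return "%s: %s" % (block["label"], block["error"])
    meaning = LABEL_MEANING.get(block["label"], "unknown PEM label")
    if block["label"] == "RSA PRIVATE KEY":
        if is_encrypted(block):
            return "%s, passphrase-protected (DEK-Info: %s)" % (
                meaning, block["headers"].get("DEK-Info", "missing"))
        # An unencrypted PKCS#1 key is a DER SEQUENCE, whose first byte is 0x30.
        if not block["der"] or block["der"][0] != 0x30:
            return "%s label, but body does not start with a DER SEQUENCE" % meaning
        return "%s, unencrypted" % meaning
    return meaning


def inspect_pem(text):
    """[(label, verdict)] for every block found in the file text."""
    return [(b["label"], describe_block(b)) for b in parse_pem_blocks(text)]


def has_pkcs1_private_key(text):
    """True if at least one well-formed RSA PRIVATE KEY block is present."""
    for b in parse_pem_blocks(text):
        if b["label"] != "RSA PRIVATE KEY" or b["error"]:
            continue
        if is_encrypted(b) or (b["der"] and b["der"][0] == 0x30):
            return True
    return False


# Constructed samples: the base64 bodies are tiny placeholder bytes, not keys.
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "AAAAAAAAAAAAAAAAAAAAAA==\n-----END RSA PRIVATE KEY-----\n")
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # With file arguments, inspect those; otherwise show the constructed samples.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [
        ("plain sample", PLAIN_KEY), ("encrypted sample", ENCRYPTED_KEY),
        ("certificate sample", CERT_ONLY)]
    for name, text in sources:
        print("%s:" % name)
        for label, verdict in inspect_pem(text) or [("(none)", "no PEM block found")]:
            print("  %-22s %s" % (label, verdict))
        print("  usable PKCS#1 key: %s" % has_pkcs1_private_key(text))
```

Run it as `python3 pemcheck.py /etc/ipsec.d/private/211Key.pem`: a file that reports only a CERTIFICATE block is the situation Andreas describes, and a passphrase-protected block needs the passphrase supplied in ipsec.secrets (`: RSA 211Key.pem "passphrase"`) before charon can decrypt it.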
